Innervision Privacy Policy
Last updated: June 16, 2026 — Effective date: June 16, 2026
Innervision Technologies, Inc. ("Innervision," "we," "us," or "our") provides workflow-intelligence and automation software that observes how work is performed on computers and turns it into structured insights and AI agents. Because our software observes on-screen work, we take privacy seriously and explain our practices in plain language below.
This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our websites, our desktop capture agent, our cloud services, and our web dashboard (together, the "Services"). It does not change any agreement you or your organization has with us; if a Master Service Agreement, Data Processing Addendum, or our Terms of Service conflict with this Policy with respect to a customer's data, those agreements control.
1. Our Two Roles — Please Read First
Innervision plays one of two roles depending on the data:
- As a processor (service provider). When our desktop agent records and analyzes on-screen activity for a customer organization, the customer (your employer) decides to deploy the Services, what is captured, and why — the customer is the "controller," and Innervision acts as a "processor" on the customer's documented instructions under our Data Processing Addendum. We do not decide the purposes of that processing.
- As a controller. For information we collect for our own purposes — account registration, billing and business contacts, support, security, and visitors to our public website — Innervision is the controller.
If you are an employee or contractor of an Innervision customer: the recording and analysis of your on-screen work is governed by your organization's policies and its agreement with us. For questions about why you are being recorded, your choices, or to exercise rights over that data, please contact your employer first. We will support your employer in responding to your request, as described in Section 10.
2. Information We Process
2.1 Workforce activity data (we act as processor)
When a customer deploys our desktop capture agent on a user's device, and after the user has been presented with a consent notice, the agent may capture:
- Screen recordings — video of the screen (by default 1920×1080 at 25 frames per second, stored as short encoded segments) and periodic and event-triggered still images (keyframes).
- On-screen text — text extracted from the screen via optical character recognition (OCR) and the operating system's accessibility interfaces, including the names and titles of the active application, window, and on-screen UI elements.
- Interaction events — mouse clicks, scrolls, and trackpad gestures (coordinates, timing, and the associated application/window/UI element).
- Keystroke data — only if your organization enables it. Keyboard capture is off by default and must be explicitly turned on. When enabled, we record printable characters typed in non-secure fields together with the active application and window. Text entered into password fields and other secure-input fields is detected and redacted at the point of capture — the characters are never stored (we mark such events as redacted). We do not capture audio (microphone or system), and we do not capture clipboard contents.
- Device and session identifiers — a device hardware fingerprint, device hostname, and stream/session identifiers used to organize and attribute recordings.
2.2 Derived and analysis data (we act as processor)
Our AI pipeline transforms the captured data into structured outputs, including session transcripts, step-by-step workflow descriptions, a knowledge graph of tools/screens/actions, and vector embeddings used for search. These derived artifacts are stored under the customer's tenant and may themselves contain or reference on-screen content.
2.3 Account and authentication data (we act as controller)
To provide access to the Services we process account identifiers and profile data from your organization's identity provider, including username, first and last name, email address, organization/company identifier, and role assignments. Authentication is handled through our identity system (Keycloak / OIDC); we maintain session records to keep you signed in.
2.4 Business contact and billing data (we act as controller)
If you contact us, sign up, or transact with us, we process your name, email, company, and the content of your communications. (We do not currently process payment-card data through the Services.)
2.5 Website data (we act as controller)
Our public website (innervision.ai) is a static site. We do not use third-party advertising or analytics trackers on it. The web dashboard uses a strictly necessary, HTTP-only session cookie to keep you authenticated.
2.6 Service, diagnostic, and security data (we act as controller)
The desktop agent and our cloud services generate operational telemetry — application logs, performance and reliability metrics, error reports, hardware/OS information, and network diagnostics — sent to our own systems to operate, secure, and improve the Services. Before this telemetry leaves the device, we scrub direct identifiers (usernames, home-directory paths, and email addresses are removed). Screen content and captured images are excluded from logs and monitoring.
3. How We Collect Information
- From the desktop agent, after a consent notice is shown and (where required) accepted. Recording state is always indicated to the user (a recording indicator in the tray/menu bar), and the user can pause or stop at any time. Recording auto-pauses when the screen locks and stops after extended inactivity.
- From you and your organization, when accounts are provisioned, you sign in, or you contact us.
- Automatically, through service logs and diagnostics as described in Section 2.6.
4. How We Use Information
We use personal information to:
- provide, operate, and secure the Services and process on-screen activity into workflow intelligence and AI agents (as processor, on the customer's instructions);
- authenticate users, manage accounts, and provide support;
- monitor performance and stability, detect and prevent fraud, abuse, and security incidents, and debug issues;
- improve and develop our products and services using service/diagnostic data and de-identified or aggregated data; and
- comply with law and enforce our agreements.
Where we act as controller and the law requires a legal basis (e.g., GDPR/UK GDPR), we rely on performance of a contract, our legitimate interests in operating and securing the Services, your consent where applicable, and compliance with legal obligations. Where we act as processor, our customer is responsible for establishing the legal basis for processing workforce activity data.
5. Artificial Intelligence and Third-Party Model Providers
Analyzing on-screen work necessarily involves sending captured frames and related metadata to vision-language and large-language models. Depending on the customer's configuration, these models are operated by third-party AI providers, currently including Google (Gemini via Google AI Studio and/or Vertex AI), Anthropic (Claude), OpenAI, and Amazon Web Services (Bedrock), as well as embedding models from these providers.
Important points about this processing:
- Inference only. We use these providers to analyze data on a per-request basis. We do not permit our customers' data to be used to train or fine-tune third-party or shared models.
- Transient handling. Media uploaded to a provider for analysis is processed per request and deleted after processing (either automatically by the provider's short retention window or by us).
- We require these providers to handle data under their applicable enterprise/API terms, and we manage them as subprocessors (Section 6).
6. How We Share Information — Subprocessors
We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under U.S. privacy laws). We disclose information only to:
- Subprocessors that help us run the Services, currently in the following categories:
  - Cloud infrastructure — Amazon Web Services (compute, storage, databases, key management, backup, networking) in the United States.
  - AI model providers — Google, Anthropic, OpenAI, and AWS Bedrock, as described in Section 5.
  - Observability — Datadog (application monitoring, logging, and APM), configured to exclude screen content and captured images.
- Professional advisers, auditors, and authorities, where required by law, subpoena, or court order, or to protect rights, safety, and the integrity of the Services.
- Acquirers, in connection with a merger, financing, reorganization, or sale of assets, subject to this Policy.
A current list of subprocessors is available on request at admin@innervision.ai, and customers are notified of changes to subprocessors as provided in our Data Processing Addendum.
7. International Data Transfers
We host and process data in the United States (primary processing in AWS US East (Ohio); additional environments in US East (N. Virginia); backups replicated to US West (Oregon)). If you or your organization is located outside the United States, your information will be transferred to and processed in the United States and other countries where we or our subprocessors operate. Where required, transfers of personal data from the EEA, UK, or Switzerland are made under appropriate safeguards such as the European Commission's Standard Contractual Clauses; the customer, as controller, determines whether such transfers are permitted for workforce activity data.
8. Data Retention
We retain personal information for as long as needed to provide the Services and for legitimate business and legal purposes:
- On the device, recordings are stored only transiently and are removed after they are successfully uploaded to our cloud.
- Workforce activity and derived data are retained under the customer's tenant for the duration of the customer's subscription. Following expiration or termination, we have no obligation to retain customer data and may delete it, as described in our Terms of Service; residual copies may persist in standard backups for a limited period and remain subject to confidentiality and security controls.
- Backups are retained on a rolling basis (for example, database backups for 7 days, broader backups for up to 30 days, with disaster-recovery copies retained up to 30 days).
- Operational logs archived for security and compliance are retained for at least 12 months.
When a customer account is closed, we delete the customer's tenant resources (including its dedicated storage and identity organization) in accordance with our agreement.
9. Security
We apply administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit (TLS 1.2+; our storage rejects non-TLS connections) and encryption at rest (AWS KMS for object storage, databases, graph, and cache; a customer-managed key with rotation for media storage).
- Tenant isolation — each customer's data is logically isolated, enforced in the application/data layer by an immutable organization identifier and, for stored media, by per-tenant storage.
- Access controls — single sign-on (OIDC), least-privilege roles, short-lived, narrowly scoped upload credentials, and audit-logged, role-restricted administrative access.
- Capture-time redaction of password and secure-input fields, and scrubbing of direct identifiers from telemetry.
- Threat detection and network isolation — managed threat detection, private networks, flow logging, and centralized secret management.
We maintain a security program aligned to SOC 2 and continuously monitor our controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Your Privacy Rights
Depending on where you live and our role, you may have rights to access, correct, delete, or receive a copy of your personal information; to opt out of sale/sharing (we do not sell or share); to limit certain uses of sensitive information; and to be free from discrimination for exercising your rights.
- Workforce activity data (we are processor). Direct your request to your employer (the controller). If you contact us directly, we will refer you to your organization and assist them in responding.
- Data for which we are controller. Submit a request to admin@innervision.ai. We will verify your request and respond within the timeframes required by applicable law. You may use an authorized agent where the law permits.
We do not use automated decision-making that produces legal or similarly significant effects about you without a lawful basis.
11. Children's Privacy
The Services are intended for use by businesses and their workforce and are not directed to children. We do not knowingly collect personal information from anyone under 18. We also instruct customers not to submit data regulated as children's data.
12. Data We Are Not Designed to Process
The Services are not intended for, and customers must not submit, "Prohibited Data" — including protected health information regulated by HIPAA, payment-card data subject to PCI DSS, special categories of data under GDPR Article 9, data regulated under COPPA or Gramm-Leach-Bliley, and government-issued identification numbers. Innervision is not a HIPAA Business Associate. If you believe such data has been captured inadvertently, contact us so it can be removed.
13. Changes to This Policy
We may update this Policy to reflect changes to the Services or the law. We will post the updated Policy with a new "Last updated" date and, for material changes, provide additional notice (for example, by email or in-product notice). Your continued use of the Services after the effective date constitutes acceptance.
14. Contact Us
For privacy questions or to exercise your rights:
Innervision Technologies, Inc.
Attn: Privacy
908 Harold Drive, Incline Village, NV 89451
admin@innervision.ai